The U.S. International Trade Commission is an independent, nonpartisan, quasi-judicial federal agency
that provides trade expertise to both the legislative and executive branches of government, determines the
impact of imports on U.S. industries, and directs actions against certain unfair trade practices, such as
patent, trademark, and copyright infringement. USITC analysts and economists investigate and publish
reports on U.S. industries and the global trends that affect them. The agency also maintains and publishes
the Harmonized Tariff Schedule of the United States.

Commissioners
Deanna Tanner Okun, Chairman
Charlotte R. Lane
Daniel R. Pearson
Shara L. Aranoff
Irving A. Williamson
Dean A. Pinkert

OFFICE OF INSPECTOR GENERAL
UNITED STATES INTERNATIONAL TRADE COMMISSION
WASHINGTON, DC 20436

VIA ELECTRONIC TRANSMISSION

June 23, 2010                                                             OIG-HH-017

Chairman Okun:

This memorandum transmits the Office of Inspector General's final report, Audit on the
Patching of ITCNet Workstations, OIG-AR-09-10. In finalizing the report, we analyzed
management's comments on our draft report and have included those comments in their
entirety in Appendix A.

This report contains six recommendations for corrective action. In the next 30 days, please
provide me with your management decisions describing the specific actions that you will
take to implement each recommendation.

Thank you for the courtesies extended to my staff during this audit.

Sincerely,

Philip M. Heneghan
Inspector General

U.S. International Trade Commission
Audit Report

Table of Contents

Results of Audit ....................................................................... 1

Problem Areas & Recommendations ........................................................ 1
   Problem Area 1: The Commission Does Not Measure the Patch Status of Workstations ..... 1
      Recommendation 1: We recommend that the CIO deploy a tool to measure the
      patch status of workstations on ITCNet. ........................................... 2
      Recommendation 2: We recommend that the CIO report monthly on patch status
      of workstations to all senior management in the Commission. ....................... 2

   Problem Area 2: The Responsibility for Patching Workstations is Unclear .............. 2
      Recommendation 3: We recommend that the CIO assign the authority and
      responsibility to one individual to maintain patches on all workstations on ITCNet. 3
      Recommendation 4: We recommend that the CIO implement processes to manage
      the patching of software approved by waiver. ...................................... 3
      Recommendation 5: We recommend that the CIO set up a process to remove
      unapproved software from ITCNet. .................................................. 3

   Problem Area 3: There is No System-wide, Automated Process for Patching
   Workstations ......................................................................... 4
      Recommendation 6: We recommend that the CIO implement an automated
      patching process of all workstations on ITCNet. ................................... 4

Management Comments and Our Analysis ................................................... 5

Objective, Scope, and Methodology ...................................................... 6

Appendix A: Management Comments on Draft Report

OIG-AR-09-10                                                       -i-

Results of Audit

The purpose of this audit was to determine whether the process for patching ITCNet
workstations is materially and effectively reducing the Commission's risk.

The process for patching ITCNet workstations is ineffective and exposes the
Commission's information and systems to material risk.
On April 28, 2010, we reviewed the patch status of 354 machines on ITCNet and found that:

   • All workstations were missing High Severity patches. A High Severity patch is a
     software change designed to prevent intruders from being able to run code of their
     choice on our network or elevate their privileges to take control of ITCNet
     workstations.
   • 28,320 High Severity patches were missing on ITCNet workstations.
   • An average of 80 High Severity patches were missing per workstation.
   • 236 workstations were missing a High Severity Microsoft Outlook patch that has
     been available since January 10, 2006.
   • 308 workstations were missing High Severity Java patches.
   • 307 workstations were missing High Severity Adobe Acrobat patches.
   • 253 workstations were missing High Severity Flash Player patches.

The patching process for workstations on ITCNet is ineffective because the Office of the
CIO does not measure its patch status, responsibility for patching is unclear, and there is
no automated process to patch all workstations. Each of these three problem areas is
discussed in detail in the rest of this report.

Problem Areas & Recommendations

Problem Area 1:
The Commission Does Not Measure the Patch Status of Workstations

The Office of the CIO is not monitoring the patch status of ITCNet workstations. This
lack of monitoring is partially responsible for the fact that workstations are not being
patched. Our analysis of 354 workstations determined that High Severity patches were
missing from every machine tested. On average, each system was missing 80 High
Severity patches.
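The figures above (total missing High Severity patches, average per workstation, workstations fully patched, per-product counts, age of the oldest missing patch) are exactly what a measurement tool of the kind Recommendation 1 asks for must produce. The following is an added example, not the OIG's tooling or data: it computes those figures from a constructed, simplified scan export whose column layout, host names and patch ids (other than MS06-003) are assumptions.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed sample export: one row per missing patch per workstation. The
# column layout is an assumption (a simplified credentialed-scan CSV export).
SCANNED_HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05"]
AS_OF = date(2010, 4, 28)  # the audit's assessment date
SAMPLE_EXPORT = """\
host,patch_id,product,severity,released
ws-01,MS06-003,Microsoft Outlook,High,2006-01-10
ws-01,JAVA-EX-1,Java,High,2009-11-04
ws-01,ACRO-EX-1,Adobe Acrobat,High,2010-02-16
ws-02,MS06-003,Microsoft Outlook,High,2006-01-10
ws-02,FLASH-EX-1,Flash Player,High,2010-03-30
ws-03,WIN-EX-1,Windows,Low,2010-04-01
ws-04,JAVA-EX-1,Java,High,2009-11-04
ws-04,ACRO-EX-1,Adobe Acrobat,High,2010-02-16
ws-04,ITUNES-EX-1,Apple iTunes,High,2010-03-30
"""

def parse_export(text):
    """Keep only High Severity rows, as the audit did, with parsed release dates."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["severity"] == "High":
            row["released"] = date.fromisoformat(row["released"])
            rows.append(row)
    return rows

def patch_metrics(rows, hosts, as_of):
    """The figures the report uses to describe patch status, from scan rows.
    Hosts in `hosts` with no High Severity row count as fully patched."""
    per_host = Counter(r["host"] for r in rows)
    by_product = {}  # product -> hosts missing at least one of its patches
    for r in rows:
        by_product.setdefault(r["product"], set()).add(r["host"])
    fully = [h for h in hosts if per_host[h] == 0]
    oldest = min((r["released"] for r in rows), default=as_of)
    return {
        "hosts_scanned": len(hosts),
        "total_high_missing": sum(per_host.values()),
        "avg_per_host": sum(per_host.values()) / len(hosts),
        "worst_host": max(per_host.values(), default=0),
        "fully_patched": len(fully),
        "fully_patched_pct": 100.0 * len(fully) / len(hosts),
        "hosts_missing_by_product": {p: len(h) for p, h in by_product.items()},
        "oldest_missing_age_days": (as_of - oldest).days,
    }

def hosts_missing_patch(rows, patch_id):
    """Workstations still missing one specific patch (the audit cites MS06-003)."""
    return sorted({r["host"] for r in rows if r["patch_id"] == patch_id})

if __name__ == "__main__":
    for k, v in patch_metrics(parse_export(SAMPLE_EXPORT), SCANNED_HOSTS, AS_OF).items():
        print(f"{k}: {v}")
```

Run monthly against a fresh export, the same metrics give the trend Recommendation 2 asks senior management to see.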
Effective management is only possible with consistent measurement. Because the Office
of the CIO is not measuring the patch status of workstations, it is not managing the
workstation patching process.

Not patching workstations on our network exposes more than just a single computer to
risk; it exposes all data and systems on ITCNet. For example, the administration of
applications such as EDIS, HTS, and DataWeb requires that staff use elevated credentials.
Administration of these applications takes place on user workstations. When a
workstation is compromised, the attacker gains control of that workstation and receives
access to the elevated credentials in use on it. All that is required for complete
compromise of any application in use at USITC is for an attacker to exploit only one of
the average 80 missing High Severity patches on any workstation used by an application
administrator. This weak link effectively circumvents the other security applied to the
network perimeter or to the application itself.

Senior management in the Commission's business units are not aware of the risks to the
confidentiality, integrity, and availability of data on their information systems because
they are not regularly informed of the status of workstation security.

Recommendation 1:

We recommend that the CIO deploy a tool to measure the patch status of workstations on
ITCNet.

Recommendation 2:

We recommend that the CIO report monthly on patch status of workstations to all senior
management in the Commission.

Problem Area 2:
The Responsibility for Patching Workstations is Unclear

Our review of the workstations on ITCNet found that the Commission was missing a total
of 28,320 High Severity patches on its workstations. Every workstation we tested was
found to be missing Microsoft patches.

Third party software such as Java, Acrobat, and Flash Player is installed on every
workstation. If this software is not patched, it creates another attack vector. We did not
find any evidence that this third party software is being consistently patched. We
identified 308 workstations missing High Severity Java patches, 307 missing High
Severity Adobe Acrobat patches, and 253 missing High Severity Flash Player patches.

During our interviews with OCIO staff, we learned that the Office of the CIO expects
Commission staff to patch applications outside the scope of the CIO software baseline.

In interviews with non-OCIO users that had third party software installed on their
workstations, we asked "Who patches your software?" We received the following types
of responses:
    • "What's patching?"
    • "I don't patch it."
    • "Sometimes, it pops up a message about downloading a newer version, and I
      always click 'No'."
    • "Doesn't the CIO take care of all patching?"

Commission users are unaware that the OCIO doesn't patch all of their software. While
users should be aware of the inherent risks of Internet browsing and email attachments,
expecting every user to implement technical mitigations creates a significant risk to all
ITCNet users.

We also noted that unauthorized software was running on ITCNet and was not being
patched. For example, Apple iTunes was running on 19 workstations, and High Severity
iTunes patches were missing from all 19 of these workstations.

In order to effectively manage the patching process, a single individual should have the
authority and responsibility to patch ITCNet workstations.

The effects of the unclear roles (between the OCIO and users) are that workstations are
not patched and that the Commission's information systems are vulnerable and operate
under a high level of risk.

Recommendation 3:

We recommend that the CIO assign the authority and responsibility to one individual to
maintain patches on all workstations on ITCNet.

Recommendation 4:

We recommend that the CIO implement processes to manage the patching of software
approved by waiver.

Recommendation 5:

We recommend that the CIO set up a process to remove unapproved software from
ITCNet.

Problem Area 3:
There is No System-wide, Automated Process for Patching Workstations

Our review of the patch status on workstations identified many instances of common
standard applications that have remained unpatched for years. For example, we found
that a High Severity patch released January 10, 2006 for Microsoft Outlook (MS06-003)
was missing from 236 workstations. This software is part of the OCIO software baseline
and, by policy, should be patched by the OCIO.

High Severity patches for all software should be applied agency-wide within 3 days of
release by their manufacturer. High Severity patches should be installed on most
systems the same day a patch is released, because exploits are generated quickly from
the information provided as part of the patch. Any delay beyond the release date of a
patch increases the risk exposure. For this reason, Microsoft preconfigures Windows
operating systems to download and install patches every night.

We identified one system missing 297 High Severity patches.

Commission staff should be protected from malicious content encountered while
browsing the Internet or received via email. Unpatched workstations are missing these
basic protections, which greatly increases the risk of system compromise.

The Commission's current patching method demands significant resources because it is
not fully automated. Because it does not immediately apply all necessary High Severity
patches, the Commission is operating under a high level of risk. As a result, the
Commission does not have the most basic defenses to secure its workstations and its
network. The current patching process does not effectively protect Commission
information or systems.

Recommendation 6:

We recommend that the CIO implement an automated patching process of all
workstations on ITCNet.

Management Comments and Our Analysis

On June 16, 2010, Chairman Shara L. Aranoff provided management comments to the
draft audit report.
The Chairman concurred with our assessment and acknowledged that the three problem
areas highlighted present significant material risks.

Based on the information obtained during the course of this audit, the Commission
undertook immediate action to reduce its vulnerabilities by replacing most workstations
with new, fully patched workstations.

In her comments, the Chairman reports that as of June 16, 2010, the aggregate number of
missing High Severity patches had decreased by 91.7%, from 28,320 to 2,333, and that
the number of fully patched systems had increased from 0 to 197 workstations.

We have continued to monitor the patch status since the original assessment, and our data
confirms a significant decrease in the number of missing patches and an increase in the
number of fully patched workstations. As of June 16, 2010, the average number of
missing High Severity patches per workstation has decreased from 80 to 7, as seen in
Chart 1. When our testing began, no workstations were fully patched; Chart 2 details the
increase of fully patched workstations to 61%.

[Chart 1: Average Missing High Severity Patches. Values plotted for the successive
measurements, from the April 28 assessment to June 16: 80, 54, 34, 11, 7.]
[Chart 2: Percentage of Workstations Fully Patched. Values plotted for the successive
measurements, from the April 28 assessment to June 16: 0%, 0%, 22%, 58%, 61%.]

Objective, Scope, and Methodology

Objective

The objective of the audit was to answer the question, "Is the process for patching
ITCNet workstations materially and effectively reducing the Commission's risk?"

Scope

The original scope of this audit was intended to provide a comprehensive view of ITCNet,
including all nodes: servers, security and network infrastructure, and all other
addressable devices. After discussions with the OCIO, we reduced the scope to focus
only on workstations.

This audit covered all workstations on ITCNet and all software on these workstations,
including operating systems and both major and minor applications. In addition, it
evaluated the recommended patch status of the software installed on each machine.

On April 28, 2010, we assessed the patch status of all workstations residing in the
standard ITCNet workstation network range.

Methodology

A combination of automated tools, manual validity checks, and interviews with USITC
staff were used to gather and analyze information in order to determine the state of the
Commission's patching process.

a. To analyze the patch status of the workstations on ITCNet, we first identified which
   networks on ITCNet hosted workstations. To perform this task, we queried CIO staff
   and performed passive network and device discovery using Wireshark.
b. To assess the patch status, we used Nessus, which we connected to each workstation
   with credentials that permitted read access to the areas required to make the
   assessment: administrative shares and the Windows Registry. While Nessus has the
   ability to report on a wide range and severity of vulnerabilities, we reported only on
   High Severity vulnerabilities, which can be used maliciously by intruders to run code
   of their choice on our network or to elevate privileges to take control of our
   workstations.
c. To limit the risk inherent in scanning tools, we first scanned workstations and
   non-workstations (printers) in the Office of Inspector General. After we validated the
   results with manual checks, we scanned about ten percent of the workstations on
   ITCNet. We validated those results and then, on April 28, 2010, we scanned all known
   ITCNet network ranges.
d. We confirmed the results generated by Nessus through manual, independent
   verification of affected file versions on user workstations.
e. After analyzing the results, we conducted interviews with OCIO staff to gather
   information on the potential causes.
f. We evaluated the current patching process, specifically focusing on installation
   procedures and patch-level assessment performed by the Office of the CIO.
g. We interviewed non-CIO staff to gather knowledge of their understanding of and
   responsibility in the patching process.

We conducted this performance audit in accordance with Generally Accepted
Government Auditing Standards (GAGAS). Those standards require that we plan and
perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis
for our findings and conclusions based on our audit objectives. We believe that the
evidence obtained provides a reasonable basis for our findings and conclusions based on
our audit objectives.

Appendix A: Management Comments on Draft Report

"Thacher's Calculating Instrument" developed by Edwin Thacher in the late 1870s. It is a cylindrical, rotating slide
rule able to perform complex mathematical calculations involving roots and powers quickly. The instrument was used
by architects, engineers, and actuaries as a measuring device.